commit 2ee14f029fa845c1483ce2e009e0d3f777893c0f
author Amna <amna.snene@savoirfairelinux.com> Wed Jul 24 15:15:55 2024 -0400
committer Louis Maillard <louis.maillard@savoirfairelinux.com> Thu Jul 25 14:41:15 2024 -0400
tree 6851a18835ad7a7f3a092703d51e489c7a34d8c6
parent 77e27dcb90b4e7db7828481a3f853d7f9ddf5335

tools/dnc: add authorized services on server side

The client requests to open a socket on ip:port on the server side via
the channel name. On connexion request, the server checks if
the ip:port requested is authorized.
Also add a new option in config files to configure allow-list.

Change-Id: I85253fce83874e3c1b83e545d9e4139e04a09972

tools/dnc/dnc.cpp

diff --git a/tools/dnc/dnc.cpp b/tools/dnc/dnc.cpp
index 764945c..86bb159 100644
--- a/tools/dnc/dnc.cpp
+++ b/tools/dnc/dnc.cpp
@@ -60,7 +60,8 @@
          const std::string& turn_pass,
          const std::string& turn_realm,
          const bool anonymous,
-         const bool verbose)
+         const bool verbose,
+         const std::map<std::string, std::vector<int>> authorized_services)
     :logger(verbose ? dht::log::getStdLogger() : nullptr),
     ioContext(std::make_shared<asio::io_context>()),
     iceFactory(std::make_shared<IceTransportFactory>(logger))
@@ -104,9 +105,40 @@
     std::unique_lock lk {mtx};
 
     connectionManager->onChannelRequest(
-        [&](const std::shared_ptr<dht::crypto::Certificate>&, const std::string& name) {
+        [authorized_services, this](const std::shared_ptr<dht::crypto::Certificate>&, const std::string& name) {
             // handle channel request
-            fmt::print("Channel request received: {}\n", name);
+            if (authorized_services.empty()) {
+                // Accept all connections if no authorized services are provided
+                return true;
+            }
+            // parse channel name to get the ip address and port: nc://<ip>:<port>
+            auto parsedName = parseName(name);
+            const std::string &ip = parsedName.first;
+            int port = 0;
+            try {
+                port = std::stoi(parsedName.second);
+            }
+            catch (std::exception const &err) {
+                fmt::print(stderr, "Rejecting connection: port '{}' is not a valid number", parsedName.second);
+                return false;
+            }
+
+            // Check if the IP is authorized
+            auto it = authorized_services.find(ip);
+            if (it == authorized_services.end()) {
+                // Reject the connection if the ip is not authorized
+                fmt::print("Rejecting connection to {}:{}", ip, port);
+                return false;
+            }
+
+            // Check if the port is authorized
+            const auto &ports = it->second;
+            if (std::find(ports.begin(), ports.end(), port) == ports.end()) {
+                // Reject the connection if the port is not authorized
+                fmt::print("Rejecting connection to {}:{}", ip, port);
+                return false;
+            }
+            fmt::print("Accepting connection to {}:{}", ip, port);
             return true;
         });
 
@@ -175,10 +207,11 @@
          const std::string& turn_pass,
          const std::string& turn_realm,
          const bool verbose)
-    : Dnc(identity, bootstrap,turn_host,turn_user,turn_pass, turn_realm, true, verbose)
+    : Dnc(identity, bootstrap,turn_host,turn_user,turn_pass, turn_realm, true, verbose, {})
 {
     std::condition_variable cv;
     auto name = fmt::format("nc://{:s}:{:d}", remote_host, remote_port);
+    fmt::print("Requesting socket: %s\n", name.c_str());
     connectionManager->connectDevice(
         peer_id, name, [&](std::shared_ptr<ChannelSocket> socket, const dht::InfoHash&) {
             if (socket) {